Abstract

We survey recent developments in the study of (worst-case) one-way functions having strong algebraic and security properties. According to [RS93], this line of research was initiated in 1984 by Rivest and Sherman who designed two-party secret-key agreement protocols that use strongly noninvertible, total, associative one-way functions as their key building blocks. If commutativity is added as an ingredient, these protocols can be used by more than two parties, as noted by Rabi and Sherman [RS93] who also developed digital signature protocols that are based on such enhanced one-way functions.

Until recently, it was an open question whether one-way functions having the algebraic and security properties that these protocols require could be created from any given one-way function. Recently, Hemaspaandra and Rothe [HR99] resolved this open issue in the affirmative, by showing that one-way functions exist if and only if strong, total, commutative, associative one-way functions exist.

We discuss this result, and the work of Rabi, Rivest, and Sherman, and recent work of Homan [Hom99] that makes progress on related issues.
second author was visiting Friedrich-Schiller-Universität Jena and while the fourth author was visiting the University of Rochester and the Rochester Institute of Technology.
1 Motivation



Professor One: Hello, Professor Way! How's life?

Professor Way: Very exciting indeed. I've developed some very exciting worst-case cryptographic protocols. If you read these papers and manuscripts of mine, you'll see how intuitively attractive, interesting, and exciting my protocols are.

Professor One (spends 10 minutes skimming the papers as Professor Way waits patiently): Wow... I am attracted, interested, and excited by those protocols. But wait. Is there some catch?

Professor Way: Well, I do assume that we have, to use in the protocols, (worst-case) one-way functions that have various additional algebraic and security properties such as associativity, commutativity, and "strong" noninvertibility.

Professor One: You're assuming WHAT?? Whether vanilla one-way functions exist is a major open research issue, and you're throwing in all sorts of wild extra requirements on one-way functions? Though like many people I believe that vanilla one-way functions exist, I have no similar intuition as to whether one-way functions exist with the many extra properties you are assuming. And so, I must view your protocols as less attractive than protocols built on the assumption that vanilla one-way functions exist.



(Until recently, Professor Way would not have had any good reply at this point. However, 
due to the work this article is about, Professor Way does have a slam-dunk reply.) 



Professor Way: Your worries are completely natural, but nonetheless unfounded. The 
reason is that one can now prove that all those "wild" extra properties come for 
free. That is, it remains an open issue whether vanilla one-way functions exist. And 
it also remains an open issue whether spiffy (say, strongly noninvertible, total, 
commutative, associative) one-way functions exist. However, they are the same 
open issue: Spiffy one-way functions exist if and only if vanilla one-way functions 
exist. 
2 Organization and Definitions



Section 1 provided an example of why it may be useful to understand the interactions between one-way-ness and other properties. The present section gives the basic formal definitions. Section 3 summarizes the main results of the papers we survey. Section 4 sketches proofs of restricted cases of some of the results discussed. We now define the concepts important to this survey.

Throughout this paper, we mainly deal with 2-ary functions, in particular functions mapping from $\Sigma^* \times \Sigma^*$ to $\Sigma^*$, where $\Sigma = \{0, 1\}$ is our fixed alphabet. We use both prefix and infix notation for 2-ary functions $\sigma$, i.e., $\sigma(x, y) = x \sigma y$. Unless explicitly stated as being total or one-to-one, the functions we consider are partial and potentially many-to-one. We assume that we have a pairing function $\langle \cdot, \cdot \rangle$ mapping $\Sigma^* \times \Sigma^*$ onto $\Sigma^*$ with the standard nice properties.

Worst-case one-way functions have been studied by many researchers, see, e.g., the papers [GS88], [Ko85], [Sel92], [RS97]. Definition 2.1 presents the case of 2-ary one-way functions.



Definition 2.1 (see, e.g., [RS97]) For any 2-ary function $\sigma : \Sigma^* \times \Sigma^* \to \Sigma^*$, we say:

• $\sigma$ is honest if $\sigma$ does not shrink its inputs more than by a polynomial amount, i.e., there is a polynomial $p$ such that for every image element $c$ of $\sigma$, there is a domain element $(a, b)$ of $\sigma$ satisfying $a \sigma b = c$ and $|a| + |b| \le p(|c|)$;

• $\sigma$ is (polynomial-time) invertible if there exists a total, polynomial-time computable function $g : \Sigma^* \to \Sigma^* \times \Sigma^*$ such that for every $c$ in the image of $\sigma$, $\sigma(g(c)) = c$;

• $\sigma$ is a one-way function if $\sigma$ is honest, polynomial-time computable, and noninvertible.



As we will see in Section 3, if one-way functions possess certain algebraic properties such as associativity and commutativity, they may be useful as building blocks of some clever cryptographic protocols designed by Rivest, Rabi, and Sherman. The following definition is due to Hemaspaandra and Rothe [HR99].¹



¹ Rabi and Sherman [RS97] use a different notion dubbed "weak associativity" in [HR99]: Any 2-ary function $\sigma$ is said to be weakly associative if the equality $a \sigma (b \sigma c) = (a \sigma b) \sigma c$ holds for all $a, b, c \in \Sigma^*$ satisfying that both $(a, b)$ and $(b, c)$ are in the domain of $\sigma$ and if $(a, b)$ and $(b, c)$ are in the domain of $\sigma$ then so are $(a, b \sigma c)$ and $(a \sigma b, c)$. (Rabi and Sherman actually quantify over all $a, b, c \in \Sigma^*$ satisfying that each of $(a, b)$, $(b, c)$, $(a, b \sigma c)$, and $(a \sigma b, c)$ is in the domain of $\sigma$, a phrasing that is logically equivalent with our phrasing, but that may contain terms that are not well-defined: $(a \sigma b, c)$ is not well-defined if
Definition 2.2 For any 2-ary function $\sigma : \Sigma^* \times \Sigma^* \to \Sigma^*$, define the set $\Gamma = \Sigma^* \cup \{\bot\}$ and an extension $\hat{\sigma} : \Gamma \times \Gamma \to \Gamma$ of $\sigma$ as follows:²

$$\hat{\sigma}(a, b) = \begin{cases} \sigma(a, b) & \text{if } a \neq \bot \text{ and } b \neq \bot \text{ and } (a, b) \in \mathrm{domain}(\sigma) \\ \bot & \text{otherwise.} \end{cases} \qquad (1)$$

We say $\sigma$ is associative if $(a \hat{\sigma} b) \hat{\sigma} c = a \hat{\sigma} (b \hat{\sigma} c)$ holds for all $a, b, c \in \Sigma^*$. We say $\sigma$ is commutative if $a \hat{\sigma} b = b \hat{\sigma} a$ holds for all $a, b \in \Sigma^*$.



Rabi and Sherman [RS97] use a notion of strong noninvertibility: A 2-ary function $\sigma$ is strongly noninvertible if even given the output and an argument, computing the other argument is not a polynomial-time achievable task.

Let us state this formally (see [RS97, HR99]).



Definition 2.3 A 2-ary function $\sigma : \Sigma^* \times \Sigma^* \to \Sigma^*$ is said to be strong if no polynomial-time computable function $g : \Sigma^* \to \Sigma^*$ satisfies either of the following two conditions:

• For all $c$ in the image of $\sigma$ and for all $a \in \Sigma^*$, if there is some $b \in \Sigma^*$ with $a \sigma b = c$, then $\sigma(a, g(\langle a, c \rangle)) = c$.

• For all $c$ in the image of $\sigma$ and for all $b \in \Sigma^*$, if there is some $a \in \Sigma^*$ with $a \sigma b = c$, then $\sigma(g(\langle b, c \rangle), b) = c$.

Note that strongness implies noninvertibility.

Finally, we define bounded "many-to-one"-ness. Denote the set of nonnegative integers by $\mathbb{N}$.

Definition 2.4 Let $h : \mathbb{N} \to \mathbb{N}$ be any total function and let $\sigma : \Sigma^* \times \Sigma^* \to \Sigma^*$ be any function. We say $\sigma$ is $h(k)$-to-one if for every $b$ of length $k$ in the image of $\sigma$, the cardinality³ of the preimage of $b$ under $\sigma$ is at most $h(k)$.



$\sigma$ is not defined at $(a, b)$.) The distinction between these two notions of associativity, in brief, can be explained via Kleene's [Kle52, pp. 327-328] distinction between complete equality and weak equality for partial functions; see [HR99] for a discussion of some weaknesses of weak associativity.



² A change made by a journal copyeditor inserted a typo into Definition 2.3 of [HR99]. Line 27 of page 651 of [HR99] should correctly read as equation (1) given here (note the occurrence of "$a \neq \bot$" rather than the typo "$a \neq 1$").

³ Throughout this paper, for any function $f$ (even if $f$ happens to be one-to-one) and for any image element $z$ of $f$, we mean by "the preimage of $z$ under $f$" the set of all domain elements mapped to $z$ by $f$.
3 Progress on Algebraic and Security Properties for One-Way Functions in Worst-Case Cryptography

3.1 Rabi and Sherman: Weakly Associative One-Way Functions Exist If and Only If One-Way Functions Exist

The "original" result about one-way functions is:

Theorem 3.1 (see [BDG95] and [Sel92, Proposition 1]) $\mathrm{P} \neq \mathrm{NP}$ if and only if one-way functions exist.⁴

However, writers of (even worst-case) cryptographic protocols began to desire stronger building blocks than these vanilla one-way functions — in particular, one-way functions with enhanced algebraic and security properties. In fact, according to [RS93], this idea was suggested in 1984 by Rivest and Sherman with respect to secret-key agreement.

This excellent, insightful idea of Rivest and Sherman led to the important 1993 paper of Rabi and Sherman ([RS93], see also the journal version [RS97]), which proposes explicit protocols that exploit such algebraic and security properties as strong noninvertibility, totality, commutativity, and weak associativity. This of course raised the issue of whether one-way functions with these properties were likely to exist. Rabi and Sherman prove the following result.

Theorem 3.3 [RS93, RS97] Weakly associative, commutative one-way functions exist if and only if one-way functions exist.

Interestingly, their proof technique is quite different from the techniques used to study one-to-one one-way functions.

⁴ This result is widely known and cited, but the authors have yet to find an attribution as to who first discovered it. For the special case of one-to-one one-way functions (see the excellent survey by Selman [Sel92]), the history is much clearer. The analogous theorem for those is the following.

Theorem 3.2 [GS88, Ko85, Ber77] One-to-one one-way functions exist if and only if $\mathrm{P} \neq \mathrm{UP}$, where UP is Valiant's unambiguous polynomial time [Val76].

This theorem was found independently by Grollmann and Selman [GS88] and Ko [Ko85], and Berman's thesis [Ber77] independently obtained essentially the same result (see [Sel92]). To avoid possible confusion, we mention that though our Definition 2.1 (and this entire article) does not require one-way functions to be one-to-one, some authors do mean "one-to-one one-way function" when they write "one-way function."
Note, however, that the proof of Theorem 3.2 does not achieve totality, associativity (as per Definition 2.2), or strongness. Another result due to Rabi and Sherman is the following.

Theorem 3.4 [RS93, RS97] No total, one-to-one, weakly associative one-way functions exist.



3.2 Hemaspaandra and Rothe: Strong, Total, Commutative, Associative One-Way Functions Exist If and Only If One-Way Functions Exist

One key worry with the protocols discussed by Rabi and Sherman is that their key characterization result, Theorem 3.3, is not strong enough to ensure that (with at least the same certainty as that with which vanilla one-way functions exist) there exist one-way functions having the properties the protocols of Rabi, Rivest, and Sherman require. For example, strong noninvertibility is important for the protocols, and a lack of totality would severely decrease their applicability.

Hemaspaandra and Rothe remove this worry by proving that spiffy one-way functions are just as likely to exist as vanilla one-way functions. In particular, they prove the following result.



Theorem 3.5 [HR99] Strong, total, commutative, associative one-way functions exist 
if and only if one-way functions exist. 



Professor One: Gotcha! Theorem 3.5 is about associative one-way functions as in Definition 2.2, yet the protocols of Rivest et al. require weakly associative one-way functions. And in one of your overlong footnotes you claim that weak associativity is different than associativity by which, I suppose, you mean provably different.

Professor Way: That's right. But, firstly, every associative function outright is weakly associative, so Theorem 3.5 does provide the type of one-way function needed for the protocols. Secondly, for total 2-ary functions such as those of Theorem 3.5, the two notions of associativity coincide anyway; look at [HR99, Proposition 2.4] if you don't see why these claims hold. Thirdly, note that most results of [HR99] and of [RS97] are shown, in [HR99], to hold both for associative and weakly associative one-way functions. And finally: Motivation time is over, we are in the middle of a technical section, so the two of us shouldn't distract the reader from reading the results and proof sketches.
The proof of Theorem 3.5, which will be partially discussed in Section 4, has two parts. One part shows how to establish strongness, associativity, and commutativity. The second part shows how the very special strong, associative, and commutative one-way function created from any given one-way function in the first part of the proof can be extended to achieve totality without destroying any of the other properties.

Note that this extension is a very specific "conversion to totality." Another result of [HR99] addresses the issue of broader "conversions to totality." In particular, [RS97] gives a construction, call it C, that it asserts lifts any nontotal, weakly associative one-way function whose domain is in P to a total, weakly associative one-way function. Though it remains possible that this construction in fact always works, under a plausible complexity-theoretic hypothesis Hemaspaandra and Rothe [HR99] show that there will be cases on which it fails.



Theorem 3.6 [HR99] If $\mathrm{UP} \neq \mathrm{NP}$ then there exists a weakly associative one-way function $\tau$ such that

(a) the domain of $\tau$ is in P,

(b) there exists some $x \in \Sigma^*$ such that $(x, x)$ is not in the domain of $\tau$, and

(c) construction C fails on $\tau$, that is, the total extension of $\tau$ yielded by C is not weakly associative.

Note that, for construction C to work, both condition (a) and condition (b) are required. While in [RS97], without proof, condition (b) is simply assumed to be true for every nontotal, weakly associative one-way function, there may well be counterexamples to this claim. However, for the particular function $\tau$ constructed in the proof of Theorem 3.6, condition (b) is explicitly shown to hold. Thus, construction C does not fail on $\tau$ (see condition (c)) because it cannot be applied to $\tau$, but rather because C does not preserve weak associativity. In contrast, C does preserve associativity as defined in Definition 2.2 and so is useful in achieving the "conversion to totality" in the second part of the proof of Theorem 3.5.



Finally, what about the issue of injectivity (i.e., one-to-one-ness) for associative one-way functions? Theorem 3.4, due to Rabi and Sherman, states that no total, weakly associative function (and so, by the above comment of Professor Way, no total, associative function) is injective. However, if one does not require totality then associative, injective one-way functions are no less likely to exist than injective one-way functions, which expands Theorem 3.2.

Theorem 3.7 [HR99] One-to-one, associative one-way functions exist if and only if one-to-one one-way functions exist.



Hemaspaandra and Rothe [HR99] also establish that equivalent to the two conditions of Theorem 3.7 (and thus to the condition "$\mathrm{P} \neq \mathrm{UP}$," see Theorem 3.2) is the existence of strong, commutative, associative one-way functions that satisfy a certain weak notion of injectivity called "unordered injectivity."

Definition 3.8 A 2-ary function $\sigma$ is unordered-injective if for all $a, b, c, d \in \Sigma^*$ with $(a, b)$ and $(c, d)$ in the domain of $\sigma$, $\sigma(a, b) = \sigma(c, d)$ implies $\{a, b\} = \{c, d\}$.

They left open the issue of whether for total, associative functions — which cannot be one-to-one by Theorem 3.4 — also two-to-one-ness is precluded, and what bounds on the "many-to-one"-ness of such functions (one-way or otherwise) can be shown to hold. The next section gives an answer to the first question and reports on recent progress towards resolving the general case.



3.3 Homan: Amount of "Many-to-One"-ness and its Interaction with Algebraic and Security Properties

Suppose we can encode a message using an associative one-way function, and its intended recipient can decode it. Can the space to which the encrypted message is mapped by the decoding function be feasibly searched — or is it a haystack? What if the number of potential decodings of the encoded message is so large that it cannot be determined in polynomial time which decoding was the original message? As mentioned in Footnote 4, some researchers require one-way functions to always be one-to-one. Others merely require that the ambiguity of the possible decodings be polynomially bounded, so that they can be efficiently searched. In particular, Allender and Rubinstein [AR88, All86] introduce "poly-to-one" one-way functions and prove an analog of Theorem 3.2 for those functions (see also [RH99] for an expansion of their result), and Watanabe [Wat88], Hemaspaandra and Hemaspaandra [HH94], and others have studied variations of constant-bounded ambiguity. But how does bounded "many-to-one"-ness, or even one-to-one-ness, interact with algebraic and security properties such as associativity and strongness?

We have already seen that — whether or not one-way-ness is involved — associativity and totality preclude one-to-one-ness (Theorem 3.4). Homan [Hom99] strengthens this result.



Theorem 3.9 [Hom99] No total, associative function is constant-to-one.

Homan also proves that this bound is tight by providing the following upper bound: For each nondecreasing, unbounded function $g$, there exists an $O(g)$-to-one, total, commutative, associative function.

Now, let us throw one-way-ness in and ask again: What bounds can one prove on the "many-to-one"-ness of one-way functions having the algebraic and security properties surveyed in this article?



Theorem 3.10 [Hom99] If $\mathrm{P} \neq \mathrm{UP}$ then there exists an $O(n)$-to-one, strong, total, associative one-way function.

Regarding lower bounds, Homan establishes the following result.

Theorem 3.11 [Hom99] For every total, honest, associative function $\sigma$ whose output length is bounded by a polynomial in the length of the input, there exists an $m \in \mathbb{N}$ such that $\sigma$ is not $o(f^{-1})$-to-one, where $f(x) = \lceil 2 \log x \rceil^{m \lceil \log x \rceil}$.

There is a rather wide gap between this lower bound and the upper bound given in Theorem 3.10 (under a plausible complexity-theoretic hypothesis). That is, there is a gap between the slowest known growth-rate of the "many-to-one"-ness of strong, total, associative one-way functions and their slowest possible growth-rate. Closing this gap is an interesting open issue. Also open is the degree of "many-to-one"-ness for commutative, strong, total, associative one-way functions.

4 Proof Sketches 

In this section, we present proof sketches for some of the results surveyed and give the 
flavor of some of the different techniques used. 

4.1 Proof Sketches Related to Hemaspaandra and Rothe's Work 



Proof Sketch of Theorem 3.5. Since every spiffy one-way function is a very particular vanilla one-way function, it is enough to show how to create, given any vanilla one-way function $v$, a one-way function that is strong, total, commutative, and associative. By Theorem 3.1, we can just as well create this function from the assumption that $\mathrm{P} \neq \mathrm{NP}$. (See Grollmann and Selman [GS88] for how to convert any given one-way function into a set in NP that is not in P. Although this conversion in Grollmann and Selman is done for 1-ary one-to-one one-way functions and P versus UP, the analogous approach works cleanly for the case of 2-ary many-to-one one-way functions and P versus NP.)
So, given $v$, let $A_v$ be the corresponding set in $\mathrm{NP} - \mathrm{P}$. We will now define the little brother — call him $\sigma$ — of the spiffy one-way function we are going to construct from $A_v$. Think of $\sigma$ as a piece of Swiss cheese, full of plenty of delicious, tasty, carefully made cheese, but also full of holes. That is, $\sigma$ will be a strong, commutative, associative one-way function, but it will in fact not be total. The big brother of $\sigma$, then, will be the same piece of Swiss cheese, still delicious, tasty, and carefully made, but with its holes plugged. That is, it will be the total extension of $\sigma$ — carefully preserving each of $\sigma$'s algebraic and security properties — that is yielded by construction C mentioned in Section 3.2. In this survey, we restrict ourselves to making just the Swiss cheese $\sigma$ with holes.

How do we make $\sigma$? First, forget about $\sigma$ being a piece of Swiss cheese. Rather, imagine $\sigma$ to be a police officer at work.

It is a busy morning at the police department. Officer $\sigma$ has many reports on her desk describing incidents $x$ that happened last night. Our set $A_v \in \mathrm{NP} - \mathrm{P}$ will be the set of all incidents that are crimes. (Suppose that, every night, many crimes happen and most of them are rather difficult to solve.) A report on Officer $\sigma$'s desk may contain the description of an incident $x$ with a file copy attached to it (such a report has the form $\langle x, x \rangle$). Another report may contain the description of a crime $x$ with an eye witness's statement $w$ attached to it (such a report has the form $\langle x, w \rangle$). There are all sorts of other reports as well.

Luckily, Officer $\sigma$ can easily tell incident descriptions apart from witness statements, so she always knows whether the report at hand is of the form $\langle x, x \rangle$ or $\langle x, w \rangle$. Also, Officer $\sigma$ can easily check how reliable a witness is, since they use lie detectors at this police department to verify each witness statement taken.

Every once in a while, Officer $\sigma$ grabs two reports $a$ and $b$ (one with her left hand and one with her right hand), reads them both, and chooses one of $a$ and $b$ to pass on to her boss, Sgt. $\sigma$, dumping the other one. Sometimes, she dumps them both. Here is how Officer $\sigma$ makes her decision on which reports to pass on and which to dump:

• Whenever report $a$ is of the form $\langle x, w_1 \rangle$ and report $b$ is of the form $\langle x, w_2 \rangle$ (that is, both describe the same incident $x$, which appears to be a crime, for there are two — possibly identical — witness statements attached to it), Officer $\sigma$ picks one of $a$ and $b$ to pass on to Sgt. $\sigma$, dumping the other one. In particular, she always passes on the report containing the shorter (to be more precise, the lexicographically lesser) witness statement.

• Whenever one of the reports has the form $\langle x, x \rangle$ and the other one has the form $\langle x, w \rangle$ for the same crime $x$, where $w$ is a witness statement for $x$, Officer $\sigma$ passes report $\langle x, x \rangle$ on to Sgt. $\sigma$, distractedly dumping $\langle x, w \rangle$ into the waste basket.⁵

• Whenever the reports are not of the form described in the above two cases, Officer $\sigma$ dumps them both.

Now, let us be a bit more formal. A witness for "$x \in A_v$" is any string $w \in \Sigma^*$ encoding an accepting path of $M$ on input $x$, where $M$ is a fixed NP machine accepting $A_v$. For each $x \in A_v$, define the set of witnesses for "$x \in A_v$" by

$$\mathrm{WIT}_M(x) = \{ w \in \Sigma^* \mid w \text{ is a witness for } \text{``}x \in A_v\text{''} \}.$$

We may assume that, for each $x \in A_v$, any witness $w$ for "$x \in A_v$" is of length $p(|x|)$ for some strictly increasing polynomial $p$, and the length of $w$ is strictly larger than the length of $x$. This assumption is just a technical detail that enables Officer $\sigma$ to tell input strings in $A_v$ apart from their witnesses, a property that will be useful later on.

Given any two strings $a$ and $b$ in $\Sigma^*$, define $\sigma(a, b)$ as follows:

• If there is some $x \in \Sigma^*$ for which there exist witnesses $w_1, w_2 \in \mathrm{WIT}_M(x)$ such that $a = \langle x, w_1 \rangle$ and $b = \langle x, w_2 \rangle$, then $\sigma(a, b)$ is defined to be the string $\langle x, \min(w_1, w_2) \rangle$, where $\min(w_1, w_2)$ denotes the lexicographically smaller of $w_1$ and $w_2$.

• If there is some $x \in \Sigma^*$ for which there exists some witness $w \in \mathrm{WIT}_M(x)$ such that $a = \langle x, x \rangle$ and $b = \langle x, w \rangle$, or $a = \langle x, w \rangle$ and $b = \langle x, x \rangle$, then $\sigma(a, b)$ is defined to be the string $\langle x, x \rangle$.

• Otherwise, $\sigma(a, b)$ is undefined, that is, there is a hole in the domain of $\sigma$ at $(a, b)$.

It remains to prove that $\sigma$ has the desired properties. That $\sigma$ is honest and commutative is immediate. That $\sigma$ is polynomial-time computable can be seen as follows. By our assumption that for each $x$ in $A_v$, the length of any witness string for "$x \in A_v$" is strictly larger than the length of $x$, there is no ambiguity in deciding whether its arguments, $a$ and $b$, are of the form $\langle x, x \rangle$ or $\langle x, w \rangle$, where $w$ is a potential witness for "$x \in A_v$." Moreover, we can of course decide in polynomial time whether a potential witness $w$ for "$x \in A_v$" indeed is a witness.

The strongness of $\sigma$ is shown by way of contradiction. Suppose there is a polynomial-time computable function $g$ such that, for any string $c$ in the image of $\sigma$ and for any fixed first argument $a \in \Sigma^*$ for which there is some second argument $b \in \Sigma^*$ with $a \sigma b = c$, it holds that $\sigma(a, g(\langle a, c \rangle)) = c$. Using $g$, one could then decide $A_v$ in polynomial time as follows:

⁵ That in part explains why so few crimes are solved in this town.
Given any input string $x$, to decide whether or not $x$ is in $A_v$, compute the string $g(\langle \langle x, x \rangle, \langle x, x \rangle \rangle)$. Compute the projections, say $u$ and $w$, of our pairing function at $g(\langle \langle x, x \rangle, \langle x, x \rangle \rangle)$; that is, compute the unique strings $u$ and $w$ for which $\langle u, w \rangle = g(\langle \langle x, x \rangle, \langle x, x \rangle \rangle)$. Accept $x$ if and only if $u = x$ and $w \in \mathrm{WIT}_M(x)$.

This polynomial-time algorithm for $A_v$ contradicts our assumption that $A_v$ is not in P. Hence, $\sigma$ cannot be inverted in polynomial time even if the first argument is given. An analogous argument shows that no polynomial-time computable function can invert $\sigma$ even if the second argument is given. Hence, $\sigma$ is strong.

It remains to show that $\sigma$ is associative. Let $a, b, c \in \Sigma^*$ be any fixed arguments for $\sigma$. Let the projections of our pairing function at $a$, $b$, and $c$ be given by $a = \langle a_1, a_2 \rangle$, $b = \langle b_1, b_2 \rangle$, and $c = \langle c_1, c_2 \rangle$. Let $k \in \{0, 1, 2, 3\}$ be the number that tells you how many of $a_2$, $b_2$, and $c_2$ are elements of $\mathrm{WIT}_M(a_1)$. For example, if $a_2 = c_2 \in \mathrm{WIT}_M(a_1)$, but $b_2 \notin \mathrm{WIT}_M(a_1)$, then $k = 2$.

According to Definition 2.2, we have to show that

$$(a \hat{\sigma} b) \hat{\sigma} c = a \hat{\sigma} (b \hat{\sigma} c), \qquad (2)$$

where $\hat{\sigma}$ is the extension of $\sigma$ from that definition. There are two cases.

Case 1: Suppose $a_1 = b_1 = c_1$ and $\{a_2, b_2, c_2\} \subseteq \{a_1\} \cup \mathrm{WIT}_M(a_1)$. The intuition in this case is that $\sigma$ decreases by one the number of witnesses that may occur in its arguments in the following way.

If zero of $\sigma$'s arguments contain a witness for "$a_1 \in A_v$" then $\sigma$ is undefined, so $\hat{\sigma}$ outputs $\bot$.

If exactly one of its arguments contains a witness for "$a_1 \in A_v$" then $\sigma$ — and thus $\hat{\sigma}$ as well — has the value $\langle a_1, a_1 \rangle$.

If both of $\sigma$'s arguments contain a witness for "$a_1 \in A_v$," then $\sigma$ outputs $\langle a_1, w \rangle$, where $w \in \{a_2, b_2, c_2\}$ is the lexicographically smaller of the two witnesses.

From the above we may conclude the following.

If $k \in \{0, 1\}$ then $(a \hat{\sigma} b) \hat{\sigma} c = \bot = a \hat{\sigma} (b \hat{\sigma} c)$.

If $k = 2$ then $(a \hat{\sigma} b) \hat{\sigma} c = \langle a_1, a_1 \rangle = a \hat{\sigma} (b \hat{\sigma} c)$.

If $k = 3$ then $(a \hat{\sigma} b) \hat{\sigma} c = \langle a_1, \min(a_2, b_2, c_2) \rangle = a \hat{\sigma} (b \hat{\sigma} c)$, where $\min(a_2, b_2, c_2)$ denotes the lexicographically smallest of $a_2$, $b_2$, and $c_2$.

In each case, equation (2) is satisfied.

Case 2: Suppose case 1 does not hold. This implies that either $a_1 \neq b_1$ or $a_1 \neq c_1$ or $b_1 \neq c_1$, or it holds that $a_1 = b_1 = c_1$ and $\{a_2, b_2, c_2\} \not\subseteq \{a_1\} \cup \mathrm{WIT}_M(a_1)$. In either of these two subcases of case 2, one can verify that $(a \hat{\sigma} b) \hat{\sigma} c = \bot = a \hat{\sigma} (b \hat{\sigma} c)$. Thus, in each subcase, equation (2) is satisfied.

Hence, $\sigma$ is associative. This completes the proof sketch. ∎
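To make the Officer $\sigma$ construction and the strongness reduction above concrete, here is an added, runnable illustration that is not part of the original article. It assumes a constructed toy NP set $A$ standing in for $A_v$ (binary strings containing a 1, with witnesses of length $2|x|$), models the pairing function by Python tuples, and uses an exponential-time brute-force search as a stand-in for the hypothetical polynomial-time inverter $g$.

```python
from itertools import product
from typing import Callable, Optional, Tuple

BOT = None  # plays the role of the bottom element of Definition 2.2

# Constructed toy NP set A (stand-in for A_v): binary strings containing a 1.
# A witness for "x in A" is w = x + m, where m is a 0/1 mask of length |x|
# with exactly one 1, placed at a position where x has a 1.  Witnesses thus
# have length 2|x| > |x|, the technical assumption made in the proof sketch.
def is_witness(x: str, w: str) -> bool:
    n = len(x)
    if n == 0 or len(w) != 2 * n or w[:n] != x:
        return False
    m = w[n:]
    return m.count("1") == 1 and x[m.index("1")] == "1"

def WIT(x: str) -> list:
    """The witness set WIT_M(x) of the toy set, enumerated directly."""
    return sorted(x + "0" * i + "1" + "0" * (len(x) - i - 1)
                  for i, ch in enumerate(x) if ch == "1")

Pair = Tuple[str, str]  # tuples model the pairing function <., .>

def sigma(a: Pair, b: Pair) -> Optional[Pair]:
    """Officer sigma: partial; None marks a hole in the domain."""
    x, u = a
    y, v = b
    if x != y:
        return None
    if is_witness(x, u) and is_witness(x, v):      # two witness reports
        return (x, min(u, v))                       # keep the lexicographically smaller
    if (u == x and is_witness(x, v)) or (v == x and is_witness(x, u)):
        return (x, x)                               # file copy beats witness
    return None                                     # everything else is dumped

def extend(f: Callable) -> Callable:
    """The hat-extension of Definition 2.2: bottom is absorbing."""
    def f_hat(a, b):
        if a is BOT or b is BOT:
            return BOT
        return f(a, b)
    return f_hat

def is_associative(f: Callable, args) -> bool:
    f_hat = extend(f)
    return all(f_hat(f_hat(a, b), c) == f_hat(a, f_hat(b, c))
               for a, b, c in product(args, repeat=3))

def is_commutative(f: Callable, args) -> bool:
    f_hat = extend(f)
    return all(f_hat(a, b) == f_hat(b, a) for a, b in product(args, repeat=2))

# Strongness, as in the proof: any g that recovers a second argument from
# <a, c> whenever one exists lets us decide membership in A.
def decide_A_via_inverter(x: str, g: Callable[[Tuple[Pair, Pair]], Pair]) -> bool:
    u, w = g(((x, x), (x, x)))   # g(<<x,x>, <x,x>>), then project the pair
    return u == x and is_witness(x, w)

def brute_force_inverter(ac: Tuple[Pair, Pair]) -> Pair:
    """Exponential-time stand-in for the hypothetical polynomial-time g.
    Any b with sigma(a, b) == c must share a's first component, so the search
    ranges over second components only; a dummy pair is returned if none fits."""
    a, c = ac
    x = a[0]
    for length in range(1, 2 * len(x) + 1):
        for bits in product("01", repeat=length):
            b = (x, "".join(bits))
            if sigma(a, b) == c:
                return b
    return ("", "")

# Constructed sample arguments: witness reports, file copies, a non-witness
# report, and reports about other incidents (including one not in A).
SAMPLE_ARGS = [("11", "1101"), ("11", "1110"), ("11", "11"), ("11", "0000"),
               ("01", "0101"), ("01", "01"), ("00", "00")]

def sample_check() -> dict:
    return {
        "assoc": is_associative(sigma, SAMPLE_ARGS),
        "comm": is_commutative(sigma, SAMPLE_ARGS),
        "k2": sigma(sigma(("11", "1101"), ("11", "1110")), ("11", "11")),
        "k3": sigma(sigma(("111", "111100"), ("111", "111010")), ("111", "111001")),
        "in_A": decide_A_via_inverter("101", brute_force_inverter),
        "not_in_A": decide_A_via_inverter("000", brute_force_inverter),
    }

if __name__ == "__main__":
    print(sample_check())
```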

Proof Sketch of Theorem 3.6. Assuming $\mathrm{UP} \neq \mathrm{NP}$, we will show that the "conversion to totality" construction of Rabi and Sherman (which was called construction C in Section 3.2) does not preserve weak associativity.

Construction C works as follows. Suppose we are given any nontotal function $\tau : \Sigma^* \times \Sigma^* \to \Sigma^*$ satisfying that (i) the domain of $\tau$ can be decided in polynomial time, and (ii) there exists some string $\mathit{trashbin} \in \Sigma^*$ such that $(\mathit{trashbin}, \mathit{trashbin})$ is not in the domain of $\tau$. Construction C converts $\tau$ into a total function $\hat{\tau} : \Sigma^* \times \Sigma^* \to \Sigma^*$ defined as follows:

$$\hat{\tau}(a, b) = \begin{cases} \tau(a, b) & \text{if } (a, b) \text{ is in the domain of } \tau \\ \mathit{trashbin} & \text{otherwise,} \end{cases}$$

that is, $\mathit{trashbin}$ is used to dump all garbage elements of $\tau$ (i.e., elements on which $\tau$ is not defined).

We will now define a 2-ary function $\tau$ that resembles Officer $\sigma$ from the proof of Theorem 3.5. However, unlike $\sigma$, $\tau$ will be merely weakly associative. We then show that the total extension $\hat{\tau}$ that is yielded by applying construction C to $\tau$ is not weakly associative.

Pick a set $L$ in $\mathrm{NP} - \mathrm{UP}$ and a nondeterministic polynomial-time Turing machine $M$ accepting $L$. We assume that all technical requirements that were useful in defining $\sigma$ also hold in this proof. In particular, for any $x \in L$, all witnesses for "$x \in L$" are of length greater than the length of $x$, and $\mathrm{WIT}_M(x)$ is the set of witnesses for $x$, defined as in the proof of Theorem 3.5.

Given any two strings $a$ and $b$ in $\Sigma^*$, define $\tau(a, b)$ as follows:

• If there is some $x \in \Sigma^*$ for which there exists some witness $w \in \mathrm{WIT}_M(x)$ such that $a = \langle x, w \rangle$ and $b = \langle x, w \rangle$, then $\tau(a, b)$ is defined to be the string $\langle x, w \rangle$.

• If there is some $x \in \Sigma^*$ for which there exists some witness $w \in \mathrm{WIT}_M(x)$ such that $a = \langle x, x \rangle$ and $b = \langle x, w \rangle$, or $a = \langle x, w \rangle$ and $b = \langle x, x \rangle$, then $\tau(a, b)$ is defined to be the string $\langle x, x \rangle$.

• Otherwise, $\tau(a, b)$ is undefined, that is, there is a hole in the domain of $\tau$ at $(a, b)$.

Note that $\sigma$ and $\tau$ differ only in the first item of their definitions. It is not difficult to see that $\tau$ is a weakly associative one-way function. So, it remains to prove that conditions (a), (b), and (c) of Theorem 3.6 are satisfied.

Condition (a): The domain of $\tau$ can be decided in polynomial time, since witness checking can be done in deterministic polynomial time and since we can distinguish between input strings and their potential witnesses by our length requirement.

Condition (b): Since $L \notin \mathrm{UP}$, we have $L \neq \Sigma^*$; so, there must be a string $x$ not in $L$. Let $\mathit{trashbin} = \langle x, 1x \rangle$. Note that there is no string $x \in \Sigma^*$ for which $\mathit{trashbin} = \langle x, x \rangle$, and there are no strings $x \in \Sigma^*$ and $w \in \mathrm{WIT}_M(x)$ for which $\mathit{trashbin} = \langle x, w \rangle$ (this holds because $x \notin L$ and so it does not have any witnesses). By the definition of $\tau$, it follows that $\tau$ is not defined at $(\mathit{trashbin}, \mathit{trashbin})$.

Condition (c): Since $L \notin \mathrm{UP}$, there exists a string $x_0 \in L$ that has at least two distinct witnesses. Fix the two smallest witnesses, say $w_1$ and $w_2$ with $w_1 \neq w_2$, for "$x_0 \in L$." Let $a = \langle x_0, w_1 \rangle$, $b = \langle x_0, w_2 \rangle$, and $c = \langle x_0, x_0 \rangle$ be three given arguments of $\hat{\tau}$. Since $\hat{\tau}$ is total, each of $(a, b)$, $(b, c)$, $(a, b \hat{\tau} c)$, and $(a \hat{\tau} b, c)$ is in the domain of $\hat{\tau}$. However, it holds that

$$\hat{\tau}(\hat{\tau}(a, b), c) = \hat{\tau}(\mathit{trashbin}, c) = \mathit{trashbin} \neq \langle x_0, x_0 \rangle = \hat{\tau}(a, \langle x_0, x_0 \rangle) = \hat{\tau}(a, \hat{\tau}(b, c)).$$

Hence, $\hat{\tau}$ is not weakly associative or associative. ∎
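The function $\tau$, construction C, and the failing triple of this proof sketch, as an added, runnable illustration that is not part of the original article. It assumes a constructed toy NP set $L$ (binary strings containing a 1, so that $x_0 = 11$ has two witnesses of length $2|x_0|$), models pairs by Python tuples, and checks weak associativity per Footnote 1 and associativity per Definition 2.2 over a constructed sample of arguments.

```python
from itertools import product
from typing import Callable, Optional, Tuple

BOT = None  # the bottom element of Definition 2.2

# Constructed toy NP set L: binary strings containing a 1.  A witness for x is
# w = x + m with m a 0/1 mask of length |x| having exactly one 1, placed where
# x has a 1, so |w| = 2|x| > |x|.  The string x0 = "11" has the two witnesses
# "1101" and "1110", mirroring the proof's x0 with at least two witnesses.
def is_witness(x: str, w: str) -> bool:
    n = len(x)
    if n == 0 or len(w) != 2 * n or w[:n] != x:
        return False
    m = w[n:]
    return m.count("1") == 1 and x[m.index("1")] == "1"

Pair = Tuple[str, str]  # tuples model the pairing function <., .>

def tau(a: Pair, b: Pair) -> Optional[Pair]:
    """The function tau of the proof sketch; None marks a hole in its domain."""
    x, u = a
    y, v = b
    if x != y:
        return None
    if u == v and is_witness(x, u):          # <x,w> paired with itself
        return (x, u)
    if (u == x and is_witness(x, v)) or (v == x and is_witness(x, u)):
        return (x, x)                        # file copy beats witness
    return None

def in_domain(f: Callable, a, b) -> bool:
    return f(a, b) is not None

def is_weakly_associative(f: Callable, args) -> bool:
    """Footnote 1: a(bc) == (ab)c on every triple for which all four of
    (a,b), (b,c), (a, bc), (ab, c) lie in the domain of f."""
    for a, b, c in product(args, repeat=3):
        if in_domain(f, a, b) and in_domain(f, b, c):
            ab, bc = f(a, b), f(b, c)
            if in_domain(f, a, bc) and in_domain(f, ab, c) and f(a, bc) != f(ab, c):
                return False
    return True

def is_associative(f: Callable, args) -> bool:
    """Definition 2.2: equality of the hat-extension on all triples."""
    def f_hat(a, b):
        return BOT if a is BOT or b is BOT else f(a, b)
    return all(f_hat(f_hat(a, b), c) == f_hat(a, f_hat(b, c))
               for a, b, c in product(args, repeat=3))

def construction_C(f: Callable, trashbin) -> Callable:
    """Rabi and Sherman's conversion to totality: holes are sent to trashbin."""
    def f_total(a, b):
        r = f(a, b)
        return trashbin if r is None else r
    return f_total

# Condition (b): x = "00" is not in L, so trashbin = <x, 1x> is matched by
# neither clause of tau, and tau is undefined at (trashbin, trashbin).
TRASHBIN: Pair = ("00", "100")
TAU_TOTAL = construction_C(tau, TRASHBIN)

# Condition (c): the three arguments of the proof, for x0 = "11".
A, B, C = ("11", "1101"), ("11", "1110"), ("11", "11")
SAMPLE_ARGS = [A, B, C, TRASHBIN, ("00", "00"), ("01", "0101")]

def failing_triple() -> Tuple[Pair, Pair]:
    """Returns (tau_total(tau_total(a,b),c), tau_total(a,tau_total(b,c)))."""
    return TAU_TOTAL(TAU_TOTAL(A, B), C), TAU_TOTAL(A, TAU_TOTAL(B, C))

def sample_check() -> dict:
    return {
        "tau_hole_at_trashbin": tau(TRASHBIN, TRASHBIN) is None,
        "tau_weakly_assoc": is_weakly_associative(tau, SAMPLE_ARGS),
        "tau_assoc_def22": is_associative(tau, SAMPLE_ARGS),
        "C_tau_weakly_assoc": is_weakly_associative(TAU_TOTAL, SAMPLE_ARGS),
        "failing_triple": failing_triple(),
    }

if __name__ == "__main__":
    print(sample_check())
```

The checks show the two notions of associativity pulling apart exactly as the text says: $\tau$ passes the weak test but fails the Definition 2.2 test on $(a, b, c)$, and after construction C even the weak test fails.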

4.2 Proof Sketch Related to Homan's Work

We present the proof of Theorem 3.9. In fact, Theorem 3.9 follows immediately from Lemma 4.1 below.

Lemma 4.1 [Hom99] For every $n \in \mathbb{N}$ and for every total, associative function (one-way or otherwise) $\sigma : \Sigma^* \times \Sigma^* \to \Sigma^*$, there exists an element $z \in \Sigma^*$ in the image of $\sigma$ whose preimage under $\sigma$ is of cardinality at least $n$.

Proof Sketch of Lemma 4.1. Let $\sigma : \Sigma^* \times \Sigma^* \to \Sigma^*$ be any total, associative function. For each string $w$ in the image of $\sigma$, define two sets $L_w$ and $R_w$ as follows:

$$L_w = \{ x \in \Sigma^* \mid (x \neq w) \wedge (\exists y \in \Sigma^*)[\sigma(x, y) = w] \};$$
$$R_w = \{ y \in \Sigma^* \mid (y \neq w) \wedge (\exists x \in \Sigma^*)[\sigma(x, y) = w] \}.$$

To prove the lemma, we will show that for every $n \in \mathbb{N}$, there exists a string $z \in \Sigma^*$ in the image of $\sigma$ for which at least one of the following two conditions is true:

(1) the set $L_z$ has cardinality at least $n$;

(2) the set $R_z$ has cardinality at least $n$.

We use induction on $n$.

For $n = 1$, pick any two distinct strings $a, b \in \Sigma^*$. Since $\sigma$ is total, $a \sigma b$ necessarily exists. Let $z = a \sigma b$. Since $a \neq b$, either $a \neq z$ or $b \neq z$ (or both), making $z$ satisfy at least one of the conditions (1) or (2).

Let $n \ge 1$, and assume that there exists a string $z \in \Sigma^*$ such that at least one of conditions (1) and (2) holds true for $n$. Assume that condition (1) holds for $n$. (If condition (2) holds for $n$, an analogous argument works.)

We show that there is a string in $\Sigma^*$ that satisfies at least one of conditions (1) and (2) for $n + 1$. If the cardinality of the set $L_z$ in condition (1) is strictly greater than $n$, we are done. So, suppose condition (1) holds with equality (for $n$). Then, there exist $n$ pairs of strings $(x_1, y_1), \ldots, (x_n, y_n) \in \Sigma^* \times \Sigma^*$ each having image $z$ under $\sigma$ and so that the $x_i$ are pairwise distinct and distinct from $z$.

Choose any distinct strings $s_1, \ldots, s_{n^2+n+1} \in \Sigma^*$ not contained in $\{x_1, \ldots, x_n, z\}$. Since $\sigma$ is total, for all $i$, $1 \le i \le n^2 + n + 1$, there exists a string $u_i \in \Sigma^*$ such that

$$u_i = z \sigma s_i = (x_1 \sigma y_1) \sigma s_i = \cdots = (x_n \sigma y_n) \sigma s_i.$$

Since $\sigma$ is associative, for all $i$, $1 \le i \le n^2 + n + 1$, we also have

$$u_i = z \sigma s_i = x_1 \sigma (y_1 \sigma s_i) = \cdots = x_n \sigma (y_n \sigma s_i).$$

If there exists some $i$, $1 \le i \le n^2 + n + 1$, such that the corresponding string $u_i$ is not in $\{x_1, \ldots, x_n, z\}$, then $\{x_1, \ldots, x_n, z\} \subseteq L_{u_i}$. Hence, this $u_i$ satisfies condition (1) for $n + 1$. (This is the only place where we make use of the assertion "$(\forall j : 1 \le j \le n)[x_j \neq z]$" that follows from the definition of $L_z$.)

Otherwise, for each $i$, $1 \le i \le n^2 + n + 1$, we have $u_i \in \{x_1, \ldots, x_n, z\}$. Thus, the $n^2 + n + 1 = (n + 1) n + 1$ distinct pairs $(z, s_i)$ are mapped by $\sigma$ onto the $n + 1$ strings $x_1, \ldots, x_n, z$. By the pigeon-hole principle, there must exist some $\tilde{z} \in \{x_1, \ldots, x_n, z\}$ whose preimage under $\sigma$ has cardinality at least $n + 1$.

We claim that $\tilde{z}$ satisfies condition (2) for $n + 1$. Let $S$ be the set of all $s_i$, $1 \le i \le n^2 + n + 1$, such that $\sigma(z, s_i) = \tilde{z}$. The above argument shows that the cardinality of $S$ is at least $n + 1$. Since $\tilde{z} \in \{x_1, \ldots, x_n, z\}$ and

$$\{s_1, \ldots, s_{n^2+n+1}\} \cap \{x_1, \ldots, x_n, z\} = \emptyset,$$

we have $\tilde{z} \neq s_i$ for each $i$, $1 \le i \le n^2 + n + 1$. Thus, $S \subseteq R_{\tilde{z}}$, which makes $\tilde{z}$ satisfy condition (2) for $n + 1$ and completes the proof. ∎